41 research outputs found

    Digital Evidence Education in Schools of Law

    An examination of State of Connecticut v. Julie Amero provides insight into how a general lack of understanding of digital evidence can cause an innocent defendant to be wrongfully convicted. By contrast, the 101-page opinion in Lorraine v. Markel American Insurance Co. provides legal precedence and a detailed consideration for the admission of digital evidence. An analysis of both cases leads the authors to recommend additions to Law School curricula designed to raise the awareness of the legal community to ensure such travesties of justice, as in the Amero case, don’t occur in the future. Work underway at the University of Washington designed to address this deficiency is discussed. Keywords: digital forensics, law education, ESI, admissibility, evidenc

    Generation and Handling of Hard Drive Duplicates as Piece of Evidence

    An important area in digital forensics is images of hard disks. The correct production of the images as well as the integrity and authenticity of each hard disk image is essential for the probative force of the image to be used at court. Integrity and authenticity are under suspicion as digital evidence is stored and used by software based systems. Modifications to digital objects are hard or even impossible to track and can occur even accidentally. Even worse, vulnerabilities occur for all current computing systems. Therefore, it is difficult to guarantee a secure environment for forensic investigations. But intended deletions of dedicated data of disk images are often required because of legal issues in many countries. This article provides a technical framework on the protection of the probative force of hard disk images by ensuring the integrity and authenticity using state of the art technology. It combines hardware-based security, cryptographic hash functions and digital signatures to achieve a continuous protection of the image together with a reliable documentation of the status of the device that was used for image creation. The framework presented allows to detect modifications and to pinpoint the exact area of the modification to the digital evidence protecting the probative force of the evidence as a whole. In addition, it also supports the deletion of parts of images without invalidating the retained data blocks. Keywords: digital evidence, probative force hard disk image, verifiable deletion of image data, trusted imaging softwar

    Justifying the need for forensically ready protocols: a case study of identifying malicious web servers using client honeypots

    Client honeypot technology can find malicious web servers that attack web browsers and push malware, so called drive-by-downloads, to the client machine. Merely recording the network traffic is insufficient to perform an efficient forensic analysis of the attack. Custom tools need to be developed to access and examine the embedded data of the network protocols. Once the information is extracted from the network data, it cannot be used to perform a behavioral analysis on the attack, therefore limiting the ability to answer what exactly happened on the attacked system. Implementation of a record / replay mechanism is proposed that allows the forensic examiner to easily extract application data from recorded network streams and allows applications to interact with such data for behavioral analysis purposes. A concrete implementation of such a setup for HTTP and DNS protocols using the HTTP proxy Squid and DNS proxy pdnsd is presented and its effect on digital forensic analysis demonstrated

    Workshop II

    Workshop II presented by Barbara Endicott-Popovsky on USA: Forensic Readines

    Identifying and Analyzing Web Server Attacks


    A methodology for calibrating forensic ready, low layer network devices / by Barbara Endicott-Popovsky.

    This dissertation presents a methodology for calibrating low layer network devices. The research is motivated by the probability that as courtroom admissibility requirements become important considerations for networked systems, the demand for forensically ready systems over costly and non-scalable ad hoc digital forensic investigations will necessitate a change in network protection strategies and design, including calibration of low layer network devices used to collect forensic data in networks. The work draws from a well-established theoretical approach to penetration testing. The calibration approach described in this dissertation is a compilation of four separate projects that include verification testing of a low layer network device, the development of a generalized framework for calibrating low layer network devices, the application of the framework to calibrating a specific low layer network device, and the evaluation of the calibration protocol for completeness. The contributions of this research provide a foundation for developing a calibration standard for low layer network devices, where none currently exists. It is part of a larger research direction that explores the development of a methodology for embedding forensics in networks. Thesis (Ph.D., Computer Science)--University of Idaho, June 2007

    Is digital different?: how information creation, capture, preservation and discovery are being transformed

    A landmark edited collection bringing together global experts on the impact of new technology on information services